Tags: docker, docker-compose, ldap, bitnami, gitea

Custom gitea image doesn't find user with Docker Compose


I'm developing a Docker infrastructure with Ansible and Docker Compose and I have a problem with my custom image of Gitea. I want to use a custom image because I need to implement authentication via LDAP. The error that I get inside the container log is:

sudo: unknown user: gitea
sudo: error initializing audit plugin sudoers_audit

This is my configuration:

app.ini (of Gitea)

[DEFAULT]
RUN_USER = git
RUN_MODE = prod

...

[database]
PATH = /data/gitea/gitea.db
DB_TYPE = postgres
HOST = db:5432
NAME = gitea
USER = gitea
PASSWD = gitea
LOG_SQL = false

...

Dockerfile

FROM gitea/gitea:1.16.8
RUN apk add sudo
RUN chmod 777 /home
COPY entrypoint /usr/bin/custom_entrypoint
COPY gitea-cli.sh /usr/bin/gitea-cli.sh
ENTRYPOINT /usr/bin/custom_entrypoint

entrypoint

#!/bin/sh
set -e
echo 'Started entrypoint'
# GITEA__database__HOST is "db:5432"; BusyBox nc expects host and port as separate arguments
while ! nc -z "${GITEA__database__HOST%%:*}" "${GITEA__database__HOST##*:}"; do sleep 1; done
echo 'Starting operations'
gitea-cli.sh migrate
# (the stray ">-" that preceded this line was a YAML folded-scalar marker leaked from the template, not shell)
gitea-cli.sh admin auth add-ldap --name ansible-ldap --host 127.0.0.1 --port 1389 --security-protocol unencrypted --user-search-base dc=ldap,dc=vcc,dc=unige,dc=it --admin-filter "(objectClass=giteaAdmin)" --user-filter "(&(objectClass=inetOrgPerson)(uid=%s))" --username-attribute uid --firstname-attribute givenName --surname-attribute surname --email-attribute mail --bind-dn cn=admin,dc=ldap,dc=vcc,dc=unige,dc=it --bind-password admin --allow-deactivate-all
echo 'Ending entrypoint'

gitea-cli.sh

#!/bin/sh
echo 'Started gitea-cli'
# run the gitea binary as the RUN_USER, passing the environment through (-E) and forwarding all arguments
USER=git HOME=/home/gitea GITEA_WORK_DIR=/var/lib/gitea sudo -E -u git gitea --config /data/gitea/conf/app.ini "$@"

docker-compose.yaml

  db:
    image: postgres:14.3
    restart: always
    hostname: db
    environment:
      POSTGRES_DB: gitea
      POSTGRES_USER: gitea
      POSTGRES_PASSWORD: gitea
    ports:
      - 5432:5432
    volumes:
      - /data/postgres:/var/lib/postgresql/data
    networks:
      - vcc

  openldap:
    image: bitnami/openldap:2.5
    ports:
      - 1389:1389
      - 1636:1636
    environment:
      BITNAMI_DEBUG: "true"
      LDAP_LOGLEVEL: 4
      LDAP_ADMIN_USERNAME: admin
      LDAP_ADMIN_PASSWORD: admin
      LDAP_ROOT: dc=ldap,dc=vcc,dc=unige,dc=it
      LDAP_CUSTOM_LDIF_DIR: /bitnami/openldap/backup
      LDAP_CUSTOM_SCHEMA_FILE: /bitnami/openldap/schema/schema.ldif
    volumes:
      - /data/openldap/:/bitnami/openldap
    networks:
      - vcc

  gitea:
    image: 127.0.0.1:5000/custom_gitea:51
    restart: always
    hostname: git.localdomain
    build: /data/gitea/custom
    ports:
      - 4000:4000
      - 222:22
    environment:
      USER: git
      USER_UID: 1000
      USER_GID: 1000
      GITEA__database__DB_TYPE: postgres
      GITEA__database__HOST: db:5432
      GITEA__database__NAME: gitea
      GITEA__database__USER: gitea
      GITEA__database__PASSWD: gitea
      GITEA__security__INSTALL_LOCK: "true"
      GITEA__security__SECRET_KEY: XQolFkmSxJWhxkZrkrGbPDbVrEwiZshnzPOY
    volumes:
      - /data/gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /data/gitea/app.ini:/data/gitea/conf/app.ini
    # deploy:
    #   mode: global
    depends_on:
      - db
      - openldap
      - openldap_admin
    networks:
      - vcc

Solution

  • User gitea simply doesn't exist in the image.

    docker run -it --rm --entrypoint /bin/sh gitea/gitea:1.16.8
    / # grep gitea /etc/shadow
    / # grep gitea /etc/passwd
    / # 
    

    The default user is git:

    docker run -it --rm --entrypoint /bin/sh gitea/gitea:1.16.8
    / # tail -1 /etc/passwd
    git:x:1000:1000:Linux User,,,:/data/git:/bin/bash
    / #
    

    There are two solutions:

    Adding gitea user

    Just add adduser in your Dockerfile and it should work:

    FROM gitea/gitea:1.16.8
    RUN adduser -D -s /bin/bash gitea   # <---- HERE
    RUN apk add sudo
    COPY entrypoint /usr/bin/custom_entrypoint
    COPY gitea-cli.sh /usr/bin/gitea-cli.sh
    ENTRYPOINT /usr/bin/custom_entrypoint
    

    You'll also have to change USER_UID and USER_GID to 1001 (user 1000 is git).

    Using default user

    Just replace user gitea with git in the gitea service of the dockerfile and in the app.ini.

    After that, if you have an error like:

    error saving to custom config: open /data/gitea/conf/app.ini permission denied
    

    You have to add chown -R 1000:1000 /data/gitea/conf before gitea-cli.sh migrate in the entrypoint.

    Because you share a volume between the host and the container, this will work only if your host user has UID 1000. If not, you will have to modify the gitea service in the docker-compose.yml.

    Example with a user id of 1002:

    docker-compose.yml:

      gitea:
        image: 127.0.0.1:5000/custom_gitea:51
        restart: always
        [...]
        environment:
          USER: git
          USER_UID: 1002
          USER_GID: 1002
        [...]
        user: 1002:1002 # <----- HERE
    

    and before the ENTRYPOINT in the dockerfile:

    USER git
    ENTRYPOINT ....
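
Added example (not part of the question or the answer above): a pre-flight check an entrypoint can run before handing off to `sudo -u`, so that a missing run user, or a run user whose UID does not match the UID the host volume is owned by, fails with a clear message instead of the `sudo: unknown user: gitea` line from the question. The passwd file path and the expected UID are parameters of this example (an assumption, so it can be exercised against a constructed file); the sample passwd content is constructed from the `git` account shown in the answer plus a `gitea` account added with `adduser` at UID 1001.

```shell
#!/bin/sh
# Added example, not code from the question or answer: fail fast on a
# missing or mismatched run user before the entrypoint calls sudo.

# passwd_uid FILE USER
# Prints the UID of USER as recorded in FILE; returns 1 if USER is absent.
passwd_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; found = 1 } END { exit !found }' "$1"
}

# check_run_user FILE USER EXPECTED_UID
# Returns 0 if USER exists in FILE with EXPECTED_UID,
#         1 if USER is missing (the "sudo: unknown user" case),
#         2 if USER exists but with another UID (the case where a bind-mounted
#           volume owned by EXPECTED_UID is unwritable for the run user).
check_run_user() {
    uid=$(passwd_uid "$1" "$2") || {
        echo "run user '$2' not present in $1" >&2
        return 1
    }
    if [ "$uid" != "$3" ]; then
        echo "run user '$2' has UID $uid, expected $3" >&2
        return 2
    fi
    return 0
}

# Constructed sample passwd file (assumption for this example): the git
# account from the image plus a gitea account created with `adduser -D`.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/ash
git:x:1000:1000:Linux User,,,:/data/git:/bin/bash
gitea:x:1001:1001:Linux User,,,:/home/gitea:/bin/bash
EOF

# Typical entrypoint use, placed before `gitea-cli.sh migrate`:
#   check_run_user /etc/passwd "$USER" "$USER_UID" || exit 1
# With the sample file, checking gitea against UID 1000 reports the mismatch
# that the answer's "change USER_UID and USER_GID to 1001" note is about.
check_run_user "$SAMPLE_PASSWD" git 1000 && echo "git OK at UID 1000"
check_run_user "$SAMPLE_PASSWD" gitea 1000 || echo "gitea check returned $?"
```

The check reads the same `/etc/passwd` that `sudo` consults, so a failure here means `sudo -u "$USER"` would fail too; the UID comparison catches the second problem from the answer (a bind-mounted `/data` owned by a different host UID) before Gitea reports `permission denied` on `app.ini`.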